UEFI Secure Boot and BitLocker are the keystone features of a locked-down Windows OS that is resilient against offline and boot attacks. UEFI Secure Boot is the first policy enforcement point, located in UEFI. It restricts the system to executing only binaries signed by a specified authority. This prevents unknown code from being executed on the platform and potentially weakening its security posture. Note that while limiting execution to a defined set of publishing authorities excludes all unknown code, it does not necessarily prevent known bad code from being executed (e.g. a rollback attack).
Windows 10 IoT Core also implements a lightweight version of BitLocker Device Encryption, which depends strongly on the presence of a TPM on the platform, together with the pre-OS protocol in UEFI that conducts the necessary measurements. These pre-OS measurements give the OS a definitive record of how it was launched; however, they do not enforce any execution restrictions.
Together, Secure and Measured Boot provide the optimal protection that ensures that a platform will launch in a defined way, while locking out unknown binaries and protecting user data through the use of device encryption.
The following Windows 10 IoT Core supported platforms provide firmware TPM capabilities out of the box, along with Secure Boot, Measured Boot and BitLocker capabilities:
This section is pertinent if you are a hardware device manufacturer or developer who wants to create your own UEFI Secure Boot and BitLocker data recovery certificates in order to lock down the platform.
Note: For testing purposes, you may skip this section and use the pre-generated certificates provided in the subsequent section.
Details on Secure Boot, along with key creation and management guidance, are available here. The contents below are provided for demonstration purposes only and should be adjusted to your specific product security requirements.
In order to generate the necessary certificates, we’ll make use of the following tools:
These tools are available within the Windows developer kits, which are generally installed along with Visual Studio. With default settings, these binaries are normally located under C:\Program Files (x86)\Windows Kits\10\bin. Additionally, a set of Windows code signing certificates will also be required. Download the zip from here, unpack it and proceed with the following steps:
Note that the included script also provides the information required to secure the DRA key by binding it to the TPM of the platform or creating it securely on a smart card.
In order to quickly test and deploy UEFI Secure Boot and Device Encryption functionality when security is not a priority, you can use a set of pre-generated certificates and keys (provided for illustration) in the sections below. Please note that since the private keys are included in this published package, the resulting platform cannot be considered trusted or secure. Download the zip from here, unpack it, and point to these files in the subsequent sections.
For the following steps, we’ll assume that you’ve flashed the latest Windows 10 IoT Core image for your board (instructions available here based on your specific board) and that the “MainOS” volume is mounted as volume “v:” on your Windows 10 PC.
```
reg load HKLM\IoT v:\Windows\System32\config\SOFTWARE
reg import DRAStore.reg
reg unload HKLM\IoT
```
(Replace DRAStore.reg with the location of your ‘DRAStore.reg’ file.)
Note: BitLocker functionality on Windows 10 IoT Core allows for automatic encryption of the NTFS-based OS volume while binding all available NTFS data volumes to it. For this, it’s necessary to ensure that the EFIESP volume GUID is set correctly. If you’re using the DragonBoard 410c, you’ll need to provide these additional instructions within your administrative CMD window:
```
sel disk n
sel partition m
```
(n is the disk number that maps to the DragonBoard under USB Mass Storage Mode; m is the partition number of the EFIESP partition, ‘28’ for the DragonBoard 410c under Windows 10 IoT Core.)
Note: OEMs and device builders may need to set up Secure Boot and enable BitLocker on their IoT devices at scale. Please refer to the OEM preparation and deployment guidance documentation to learn more about how to build an OS image with custom files and settings.
Depending on your device, you may need to ensure that firmware settings are updated to enable firmware TPM and Secure Boot:
### UEFI Secure Boot
Once the device is set up and the image prepared, boot the device into Windows and connect to it from your Windows 10 PC through a remote PowerShell session (instructions on how to connect via PowerShell are available here).
Run the following three commands from within the remote PowerShell session to set the UEFI Secure Boot variables:
```
FWVar.exe put imagesecurity:db c:\efi\SetVariable_db.bin NV BS RT TA
FWVar.exe put efiglobal:KEK c:\efi\SetVariable_kek.bin NV BS RT TA
FWVar.exe put efiglobal:PK c:\efi\SetVariable_pk.bin NV BS RT TA
```
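Before enrolling a SetVariable_*.bin with FWVar.exe, it is worth confirming which signature lists and certificates it actually carries, since whatever goes into db becomes a trusted signer. The following Python is an added example, not part of Microsoft's tooling or this page: it assumes the TA attribute denotes a time-based authenticated write, so each .bin is a standard EFI_VARIABLE_AUTHENTICATION_2 blob (EFI_TIME, WIN_CERTIFICATE_UEFI_GUID with PKCS#7, then EFI_SIGNATURE_LISTs), and it runs on a constructed sample blob rather than a real payload.

```python
import hashlib
import struct
import uuid
SIG_TYPES = {  # signature-type GUIDs from the UEFI specification (EFI_CERT_*_GUID)
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "EFI_CERT_X509_GUID",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "EFI_CERT_SHA256_GUID",
}
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1  # wCertificateType of WIN_CERTIFICATE_UEFI_GUID

def parse_auth2(blob: bytes) -> dict:
    """Split EFI_VARIABLE_AUTHENTICATION_2 (16-byte EFI_TIME + WIN_CERTIFICATE_UEFI_GUID) from its payload."""
    if len(blob) < 40:
        raise ValueError("blob too short for EFI_VARIABLE_AUTHENTICATION_2")
    dw_length, _rev, w_cert_type = struct.unpack_from("<IHH", blob, 16)  # WIN_CERTIFICATE header
    if (w_cert_type != WIN_CERT_TYPE_EFI_GUID or dw_length < 24 or 16 + dw_length > len(blob)
            or uuid.UUID(bytes_le=blob[24:40]) != EFI_CERT_TYPE_PKCS7_GUID):
        raise ValueError("AuthInfo is not a well-formed WIN_CERTIFICATE_UEFI_GUID/PKCS#7")
    # dwLength covers the 24-byte header plus the PKCS#7 CertData; signature lists follow it.
    return {"pkcs7_len": dw_length - 24, "payload": blob[16 + dw_length:]}

def parse_signature_lists(payload: bytes) -> list:
    """Walk consecutive EFI_SIGNATURE_LIST structures; return one dict per signature entry."""
    entries, off = [], 0
    while off < len(payload):
        sig_type = uuid.UUID(bytes_le=payload[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", payload, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(payload):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        body = payload[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:   # each entry: SignatureOwner GUID + data
            raise ValueError(f"signature entries do not fill the list at offset {off}")
        for i in range(0, len(body), sig_size):
            entries.append({"type": SIG_TYPES.get(sig_type, str(sig_type)),
                            "owner": str(uuid.UUID(bytes_le=body[i:i + 16])),
                            "sha256": hashlib.sha256(body[i + 16:i + sig_size]).hexdigest()})
        off += list_size
    return entries

def build_sample_blob() -> bytes:
    """Constructed test vector (not a real db payload): one X.509 list holding one placeholder entry."""
    fake_cert = b"\x30\x82\x01\x00" + b"A" * 256       # stands in for a DER certificate
    sig_data = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le + fake_cert
    sig_list = (uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
                + struct.pack("<III", 28 + len(sig_data), 0, len(sig_data)) + sig_data)
    pkcs7 = b"\x30\x03\x02\x01\x00"                     # stands in for the PKCS#7 signature
    auth_info = (struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
                 + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + pkcs7)
    efi_time = struct.pack("<HBBBBBBIhBB", 2020, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0)
    return efi_time + auth_info + sig_list
```

For an X.509 entry the reported SHA-256 is the certificate's SHA-256 thumbprint, so it can be compared against the .cer file you generated before the variable is written.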
Next, in order to complete lock-down of the platform, reboot the device using the command
Note: On an Intel MinnowBoardMax, you may need to manually enable Secure Boot in UEFI. Power up the board with a keyboard connected and press F2 to enter UEFI setup. Go to Device Manager -> Secure Boot Configuration -> Attempt Secure Boot and enable this option.
In order to enable BitLocker, the device encryption task must be scheduled. This task is set to trigger when the TPM is provisioned and ready, and it also ensures that device encryption stays enabled on all subsequent boots (should the volume be decrypted offline at any time). Once Secure Boot has been set up and the device booted, re-initiate a remote PowerShell session and create a new (or append to an existing) file named “OEMCustomization.cmd” under c:\windows\system32 using the following command:
```
new-item c:\windows\system32\OEMCustomization.cmd -type file -value 'schtasks /Create /TN "\Microsoft\Windows\IoT\DeviceEncryption" /XML c:\efi\DETask.xml /f'
```
When reading the contents of an encrypted device offline (e.g. the SD card of a MinnowBoardMax, or the DragonBoard’s eMMC through USB mass storage mode), ‘diskpart’ may be used to assign drive letters to the MainOS and Data volumes (let’s assume v: for MainOS and w: for Data).
The volumes will appear locked and need to be manually unlocked. This can be done on any machine that has the BitLockerDRA.pfx certificate package installed (included in attachment above). Install the PFX and then run the following commands from an administrative CMD prompt:
```
manage-bde -unlock v: -cert -cf BitLockerDRA.cer
manage-bde -unlock w: -cert -cf BitLockerDRA.cer
```
If the contents need to be frequently accessed offline, BitLocker autounlock can be set up for the volumes after the initial unlock using the following commands:
```
manage-bde -autounlock v: -enable
manage-bde -autounlock w: -enable
```
Should there arise a need to temporarily disable BitLocker, initiate a remote PowerShell session with your IoT device and run the following command:
Note: Device encryption will be re-enabled on the subsequent device boot unless the scheduled encryption task is disabled.